At last week’s ITSPA Council meeting we discussed nuisance calls. This post on on the subject was written by Pete Farmer, writing in a personal capacity. Pete is the Commercial and Regulatory Manager for Gamma a wholesale supplier of telecoms services. Pete is a colleague on the ITSPA Council and chairs their Regulatory Committee. His contact details can be found via his LinkedIn profile.
No-one doubts for a second that silent or abandoned calls – the current focus of Ofcom’s attentions whereby predictive diallers make more calls than they have agents for- are a pain. It is even worse for a vulnerable person to receive a prank call at 3am let alone one where the content is potentially violent or sexual. These are often criminal acts that require decisive action from law enforcement.
What people don’t talk about so much though, is the effect such calls have on businesses. The economic harm as well as the effect on the staff can be commensurate with that suffered in a residential setting.
A business can of course be pseudo-domestic; by which I mean that a plumber, electrician or window cleaner procures their telephony services much as they would at home – the effect of nuisance calls on such a sole trader is as apparent at work as it is at home. But as we rise through the ranks of business size, the effect is less apparent, and I am afraid to say, sometimes feels as if it is taken less seriously.
Pretty much all major networks have a Malicious Calls Bureau or equivalent; a team of trained people who understand the issues, can help deal with them and are very good at what they do. However, one of the best moves in their playbook will be to offer to change your number. That’s inconvenient for a person at home, but not the end of the world, considering the potential benefit.
However, how do you change the phone number of a call centre? Or a bank? Or your shop? My experience of doing enforced number changes with months of notice is bad enough in a business, but in a hurry? No chance!
So that leaves you with just the option of blocking. The advent of IP networks has heralded huge innovation and flexibility in telephony; Caller Line Identifications (“CLIs”) can be changed on demand (which, I hasten to add, can be done for perfectly useful and legitimate purposes (e.g. presenting a switchboard number for people to return missed calls), but can also be usurped for nefarious means.
The two most recent nuisance calls incidences I have had the misfortune to deal with have been aimed at large business call centres. The first lasted for 6 weeks – the route of the call was convoluted and transited four separate carriers before arriving at the terminating end. All the CLI information had been stripped and the volume ramped up to some 20-25% of calls a day received by the call centre.
The problem here was twofold:
- You can’t just block certain CLI presentation information (or the absence of it) because you’ll end up blocking genuine calls and lose the business valuable leads etc. Also it is well known that internationally originated calls can have strange things happen to the CLI – my favourite is Iran – 0098, if the leading digit is lost, you end up presenting an 098 number, which would be a violation of Ofcom regulations.
- The second problem is getting the impact taken seriously. When the originating network was finally traced, they refused to deal with it in the first instance because “as a business number, of course it receives a high volume of calls”. Thankfully, common sense prevailed, but if it had been a residential consumer, I doubt it would have taken so long to resolve.
Ignoring the opportunity cost of missed leads, if that call centre had 10 full-time minimum wage staff, and was occupied 25% of the time with such calls, that’s £3,500 of direct harm in salaries alone.
Voice over IP SPAM is called “SPIT” – short for SPAM over Internet Telephony. This incident clearly fell into that category. Extrapolating it, there’s an Armageddon scenario at the end. If you have more channels of outgoing VoIP than your target has for incoming calls, you can effectively launch a denial of service attack (a la those that bring down websites) on their call centre or business.
The saving grace here is that they were “prank calls”. The second, similar case, were calls of a frankly sickening nature, which due to their ingress point on the network were thankfully easier to block than the first, but the harm on the staff at that call centre was obviously as emotional as it was economic. The problem with this case though, was the age old one in telecommunications; the involvement of law enforcement. Ofcom has specific powers to deal with malicious calls and fraud, as do the Police. However, the stock line for the Police is to ask the victim to maintain contact only with them on the matter, which is an issue when there is a reseller and a network impacted and needing to be involved and able to invoke the powers of their regulator too.
Thankfully, through informal conversations with Ofcom (and a brief one with a contact in the Home Office), I am pleased to see they recognise some of these issues (such as the CLI Presentation guidelines only having been last substantively updated in 2007) and have committed, where there is synergy with the existing work streams on silent and abandoned calls, to ensure malicious calls and businesses get the attention they require.
In the meantime, there are some specific issues the telecommunications industry can work on itself to help mitigate the problem.
- Due diligence on customers and their end points; do you have the correct CLI presentation rules embodied in your provisioning processes and network devices to stop illegitimate manipulation and comply with the Ofcom regulations?
- Basic security. A SPIT attack can be as effectively launched from a hacked (physical or soft) PBX as it could from a VoIP Botnet or a SIP trunk into your network.
- Decent revenue assurance processes; do you monitor strange call patterns on your network? Do you investigate out of the ordinary spikes in traffic or calling patterns?
I am pretty sure everyone reading this can tick those three, but the fourth is perhaps the most important in this context:
- A malicious or nuisance calls attack on a business can be as harmful as one on a regular consumer – that’s not to say it is more harmful, or needs prioritising over others, but it deserves to be treated with the same diligence and respect as any other such situation.